Privacy Policy

Introduction

Welcome to Zappy Technology Limited's privacy policy. At Zappy Technology Limited, we prioritize the protection of your personal data and respect your privacy rights. This policy outlines how we handle your personal data when you use our services, visit our website, or engage with any of our products and services. We also inform you about your privacy rights and how they are protected by law.

The General Data Protection Regulation (EU) 2016/679 ("GDPR") is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. The retained EU law version of the GDPR in the UK ("UK GDPR") and the Data Protection Act 2018 ("DPA 2018") set out the framework for data protection law in the UK.

The Lei Geral de Proteção de Dados Pessoais - LGPD, law number 13.709, dated 14th August 2018 ("LGDP"), is the Brazilian data protection law, which creates the legal framework for the use of personal data of individuals in Brazil regardless of where the data processor is located, as further detailed in section 9 of this Policy.

Purpose of this Privacy Policy

In this Data Privacy Notice ("Privacy Notice") we explain how we collect and use your personal information that we obtain when you use our services, visit or use our websites or mobile applications or otherwise interact with us in the European Economic Area ("EEA"), how we share your information and the steps we take to protect your information. This website and the services that Zappy Technology Limited provider are for adults over the age of 18 only.

It is important that you read this privacy policy together with any other policies we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This privacy policy supplements the other policies and is not intended to override them.

Zappy Technology Limited acts as the data controller and is responsible for your personal data (collectively referred to as “COMPANY”, “we”, “us” or “our” in this privacy policy).

And will be the "data controller" in relation to any Personal Data provided to us directly in person, or via email, phone, and post or via the following website https://zappy.uk.com (the "Website"). This means that Zappy Technology Limited is responsible for deciding how it will hold and use Personal Data about you.

Contact Details

Zappy Technology Limited
16 Beech Way,Wheathampstead,
St Albans, United Kingdom, AL 4, 8LY

We have appointed an external data protection officer (DPO) who is responsible for overseeing questions in relation to this privacy policy. If you have any questions about this privacy policy, including any requests to exercise your legal rights, please contact the external DPO using the details set out below.

CHANGES TO THE PRIVACY POLICY AND YOUR DUTY TO INFORM US OF CHANGES

This version was last updated on 01/03/2024 and historic versions can be obtained by contacting us.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

Third Party Links

This website may include links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read.

By using or navigating the Website or any product or service offered by us (collectively, the "Services"), you acknowledge that you have read, understand and agree to be bound by this Privacy Notice. You should not provide us with any of your information if you do not agree with the terms of this Privacy Notice.

2. The Data We Collect About You

"Personal Data" means any information that enables us to identify you or the beneficiary of your transaction with us, directly or indirectly, such as name, email, address, telephone number, any form of identification number or one or more factors specific to you or your beneficiary's physical, physiological, mental, economic, cultural or social identity.

Personal Data you give us. We may collect Personal Data when you give it to us, including when you indicate that you would like to receive any of our Services, when you register with us, when you complete forms online, when you speak to us over the telephone, when you speak to us in person, when you write to us and when you visit the Website and, in certain circumstances as set out in this Privacy Notice, We will also collect details of transactions you carry out through the Website and of the fulfilment of such transactions.

The types of Personal Data we collect will depend on the products or services you have requested from us. Any Personal Data collected is necessary for us to perform a contract and without such data, we may not provide the desired Services.

We may collect and process the following Personal Data:

• Personal details, such as data which may identify you and/or the beneficiary of your transaction with us. This may include name, title, residential and/or business address, email, telephone and/or fax numbers and other contact data, date of birth
• Financial details, such as data relating to you and your beneficiary's payment data and bank account obtained for the purposes of money transfers; and/or
• Additional details requested by law enforcement or requested pursuant to our compliance procedures in connection with efforts to prevent
• Cookies and similar technologies. When you use our Website, we collect information via cookies and similar technologies, including the IP address of visitors, browser type and version, time zone setting, screen resolution settings, browser plug-in types and versions, operating system and platform.
• To measure the use of our Website and Services, including number of visits, average time spent on a Website, pages viewed, page interaction data (such as scrolling, clicks, and mouse- overs) etc., and to improve the content we offer;
• To administer the Website and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes; and
• As part of our efforts to keep the Website safe and secure.

If You Fail to Provide Personal Data

Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us, but we will notify you if this is the case at the time.

3. How do we use your Personal Data?

We use Personal Data and other data you provide to us only for the following purposes permitted by applicable laws:

• When necessary for the performance of a contract with you: we may use your data on the basis of our need to perform our obligations under a contract with you, to complete your transactions or other requests made by you, to respond to and process your queries or requests, or to contact you as necessary in connection with our performance of a contract with you. For example, if you enter into a contract for our Global Business Payments services, your data will necessarily be shared with the payment service provider that will pay out funds to your designated beneficiary in the Global Business Payments destination country and it may be used if we find it necessary to contact you in connection with our contract;
• When necessary to comply with a legal or regulatory obligation: we may use your data to comply with legal requirements and/or regulations specific to our business. For example, when you contract with us for Global Business Payments, we are required to perform a certain level of due diligence prescribed by law and/or commensurate with any assessed risk which may result in the reporting of your data to legal and/or regulatory authorities and/or a request from us for additional information from you to assist in our risk assessment and/or to satisfy our compliance obligations;
• When necessary in the pursuit of a legitimate interest of Zappy technology Limited: if you provide information to us online or transact with us online, we may use your data to improve the content of our Website and Services in order to enhance your experience. We may use data, such as IP addresses and anonymous demographic data, to tailor your experiences with our Services by showing content in which we think you will be interested and displaying content according to your preferences. We may use aggregate data for a variety of purposes, including analysing user behaviour and characteristics in order to measure interest in (and use of) the various portions and areas of our Services. We also may use the data collected to evaluate and improve our Services and analyse traffic to our Services.

If in the future we use your Personal Data in the pursuit of our legitimate interest, we will strive to align our interests with yours such that under no circumstances will your data be used except as consented to by you or as otherwise permitted by applicable laws.

In some circumstances, we may anonymise your Personal Data so that it can no longer be associated with you, in which case we may use such data without further notice to you. Is data collected shared with third parties?

Third-party service providers

We may share your Personal Data with the following categories of third-party service providers to manage, enable or facilitate certain aspects of the Services (including the maintenance of our servers and processing or fulfilling orders for transactions):

• Compliance verification service providers
• Financial services providers, such as banks
• Credit control agencies

Corporate process

We may transfer your Personal Data to a third party as a result of a sale, acquisition, merger or reorganisation, we will take reasonably appropriate steps to make sure that your information is properly protected.

Legal and regulatory

We may also disclose your Personal Data in special cases if required to do so by law enforcement agencies, law, court order, or other governmental authority, or when we believe in good faith that disclosing this data is otherwise necessary or advisable, such as to identify, contact, or bring legal action against someone who may be causing injury to–or interfering with; the rights or property of Zappy Technology Limited, the Services, another user, or anyone else that could be harmed by such activities (for example, identify theft or fraud).

4. International Transfers

The nature of our products and Services means that we may need to share your Personal Data with recipients based in countries outside of the United Kingdom, including in the EEA and outside the EEA. The countries to which we may need to send your information would normally be obvious to you based on your requested transaction.

As explained above, we may share your personal data with our payment processing partners, which may involve transferring your data outside the EEA. Where we do so, we will ensure a similar level of protection to that afforded in the EEA; for example, on the basis the relevant recipient country has been deemed by the European Commission to provide an "adequate" level of protection for Personal Data or by contractual provisions that seek to ensure a level of protection and safeguarding of Personal Data.

If our use of third-party service providers involves sharing your Personal Data outside the EEA, we will make sure the service provider provides safeguards and assurances regarding the protection of your Personal Data.

5. How long is Personal Data retained?

Personal Data is used for different purposes and is subject to different standards and regulations. In general, Personal Data is retained for as long as necessary to provide you with the Services you request, to comply with applicable legal, accounting or reporting requirements and to make sure that you have a reasonable opportunity to access the Personal Data.

To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements.

• Legal and Regulatory Requirements. Zappy Technology Limited shall retain Personal Data and transactional data for those periods required to comply with all retention and reporting obligations under applicable laws, including without limitation commercial, tax and anti-money laundering laws and regulations. Generally, this retention period will be a minimum of five years from the date of your transaction or the date our business relationship with you is terminated,
• Customer Service (administration of customer relationship, complaint handling, etc.). Zappy Technology Limited may process and retain your Personal Data for as long as we have an on-going relationship with you. Once our relationship has ended (for example because the Services have been delivered and paid for in full, or you have exercised your right to withdraw from the contract), we will, subject to any retention requirements under applicable laws, erase or anonymise your Personal Data.

6. Is the correspondence that you sent to us saved?

Yes. If you send us correspondence, including emails and faxes, we may retain such data along with any records of your account. We may also retain customer service correspondence and other correspondence involving you, us, our partners, and our suppliers. We will retain these records in line with our Retention Policy.

7. Data Security

We are committed to maintaining the security of your Personal Data and have measures in place to protect against the loss, misuse, and alteration of the data under our control. We employ modern and secure techniques to protect our systems from intrusion by unauthorised individuals, and we upgrade our security regularly as better methods become available. Our data centers and those of our partners utilise state-of-the-art physical security measures to prevent unauthorised access to the facility. In addition, all Personal Data is stored in a secure location behind firewalls and other sophisticated security systems with limited (need-to-know) administrative access.

All Zappy technology Limited employees who have access to, or are associated with, the processing of Personal Data are contractually obliged to respect the confidentiality of your data and abide by the privacy standards we have established. Please be aware that no security measures are perfect or impenetrable. Therefore, although we use industry-standard practices to protect your privacy, we cannot (and do not) guarantee the absolute security of Personal Data.

8. What are my data protection rights?

Subject to verification of your identity, you may request access to and have the opportunity to update and amend your Personal Data. You may also exercise any other rights you enjoy under applicable data protection laws. Please use the contact details in Section 1 of this Privacy Notice.

"Data Subjects" have the right to:

• To be informed: Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR and DPA 2018. This Privacy and our cookie policy meet this requirement;
• Request access to any Personal Data we hold about them as well as related data, including the purposes for processing the Personal Data, the recipients or categories of recipients with whom the Personal Data has been shared, where possible, the period for which the Personal Data will be stored, the source of the Personal Data, and the existence of any automated decision making;
• Request rectification of your personal data: This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us;
• Request erasure of your personal data: provided the Personal Data is not required by us, for compliance with a legal obligation under applicable law or for the establishment, exercise or defense of a legal claim;
• Object to processing: of your personal data; Where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms;
• Request restriction: of processing your personal data: This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; or (b) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it;
• Data Portability: under certain circumstances, request the transfer of Personal Data directly to a third party where this is technically feasible.

9. LGPD Brazil Your Rights

The Brazilian General Data Protection Law ( Lei Geral de Proteção de Dados Pessoais or LGPD) is a new law that was passed by the National Congress of Brazil on August 14, 2018 and comes into effect on August 15, 2020.

The LGPD creates a legal framework for the use of personal data of individuals in Brazil, regardless of where the data processor is located. It is closely modelled after the European Union's General Data Protection Regulation (GDPR) and like GDPR, the LGPD has far reaching consequences for data processing activities in and outside of Brazil.

• Right of confirmation of the existence of the processing of your data: You may request confirmation of processing of your data;
• Right of Access: Users have the right to access their data being processed by the us by completing a data subject access form;
• Data Portability: You have a right to the portability of your data to another service or product provider, upon express request, in accordance with the regulations of the national authority and subject to commercial and industrial secrets;
• Rectification: You have the right to have your personal data rectified if it is inaccurate or incomplete;
• Anonymization: You are entitled to request the anonymization, blocking or elimination of unnecessary or excessive personal data, or of any data that is not being processed in compliance with LGPD;
• Deletion: You have the right to have your personal data deleted if the processing of that data was based on consent;
• Information: You have the right to be informed about sub-processors and other third parties that access or process your personal data. You also have the right to be informed about their consent choices and the consequences of refusing consent;
• Revocation: You have the right to revoke or withdraw consent;
• Bring a Complaint: You have the right to lodge with the Data Protection Authority (DPA);
• Object: You have the right to oppose the processing of your personal data where there is non-compliance with the provisions of the law;
• Request a Review: You have the right to request the review of decisions made solely based on automated processing of personal data which affect your interests. If you wish to action any of the above requests, please email us at hello@zappy.uk.com .

10. Privacy-related complaints procedure

Where you believe that we have not complied with our obligations under this Privacy Notice or the applicable law, you have the right to make a complaint to a Data Protection Authority or through the courts.

Although not required, we would encourage you to let us know about any privacy-related complaint you might have, and we will respond in line with our complaint’s procedure–our contact details are set out below.

Privacy-related complaints or concerns can be lodged with our privacy team:

• By email at: hello@zappy.uk.com
• By post to: Zappy Technology Limited
  Attn.: Data Protection Officer
  Zappy Technology Limited - 16 Beech Way, Wheathampstead, St Albans, United Kingdom, AL 4, 8LY.

Zappy Technology Limited employees are required to direct any privacy-related complaints or concerns to our privacy team.

Zappy Technology Limited will aim to send an acknowledgement within 10 days of receipt of the complaint/concern.

Zappy Technology Limited will investigate in accordance with relevant laws and will aim to respond substantively within one calendar month of receipt of the complaint/concern.

If further time is required to investigate your complaint/concern, Zappy Technology Limited will write to you within one calendar month of receiving the complaint/concern, informing you of the investigation timeline which will be no longer than an additional two months for the complaint procedure to be concluded.

In the case of a rejection of the complaint, Zappy Technology Limited will provide you with a written explanation for the rejection.

If the complaint/concern is considered justified, Zappy Technology Limited will take reasonable steps to try to address the complaint/concern to your reasonable satisfaction.

If you are not satisfied with the reply/outcome, or otherwise with the handling of the complaint, you have the right to lodge a claim before a relevant Data Protection Authority or the courts. In the United Kingdom, the Data Protection Authority is the:

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number
Fax: 01625 524 510
Email: hello@zappy.uk.com

For all other complaints or concerns about our Services that are unrelated to privacy, please contact our Customer Service Team on + 44 (0) 203 206 1551

11. Contact us

If you have any questions or concerns about this Privacy Notice or Zappy Technology Limited data practices, please contact our privacy team:

• By email at: hello@zappy.uk.com
• By post to: Zappy Technology Limited
  Attn.: Data Protection Officer
  Zappy Technology Limited - 16 Beech Way, Wheathampstead, St Albans, United Kingdom, AL 4, 8LY.

Submit a data subject access request

Any complaints will be handled in line with our complaints procedure as set out in Section 12 of this Privacy Notice.

12. Policy Updates

Policies and procedures are reviewed and compared to the requirements of applicable laws and regulations at least annually, and whenever changes to such laws and regulations are made privacy policies and procedures are revised to conform with the requirements of applicable laws and regulations.

Thank you for entrusting your personal data to Zappy Technology Limited.

©All rights reserved 2025 Zappy Technology Limited.